pgbouncer 1.7 TLS verification issue.

[solyony-igor]

It seems client_tls_sslmode = verify-ca didn't work as it should.
I still able to connect to database using plain TCP without any certificates with this option.

But from documentation:

verify-ca
Client must use TLS with valid client certificate.

[markokr]

Actually I cannot reproduce this. Are you using "sslmode=disable" in libpq connect string?

Could you show me config and psql command line that does this?

[markokr]

Could it be you can log in with TLS but without cert? I see that as possible.

[solyony-igor]

I'm using connection string like this:
postgresql://user:password@pgbouncerhost:11432/database

In this case it use prefer mode:

prefer (default)
    first try an SSL connection; if that fails, try a non-SSL connection

But it should fail, when try to use non-SSL connection.

[solyony-igor]

Also, please note, when I specify sslmode=disable it fails to connect,

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/test/venv/local/lib/python2.7/site-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
psycopg2.OperationalError: ERROR:  SSL required

but in case of default sslmode when I didn't specify certificates it work well, but it seems it shouldn't, because I must use TLS with valid certificates.

[markokr]

At least libpq uses SSL if available by default. You need to explicitly disable it to get plain TCP connection.

[solyony-igor]

Okay, but why I was able to connect to database through pgboucer without certificates with client_tls_sslmode = verify-ca ?

[markokr]

Yeah, that is definitely weird. Please test commit (6eccac1) I just pushed out, does that fix it?

[solyony-igor]

@markokr It seems now it works fine.
Will you update archive on page https://pgbouncer.github.io/downloads/ and if yes, what is estimate time?

[markokr]

Couple of weeks perhaps, depending how I have time.

I'd like to look into few other reported bugs as well.

Thank you for the report!